TheOnion:Until someone figures out how to quickly factor large prime numbers, modern public key encryption is effectively unbreakable. It's possible that the NSA has that kind of technology, but if they are withholding it they are holding back an incredibly important advancement in both mathematics and humanity. Which is probably the kind of thing they'd do

TheOnion:Until someone figures out how to quickly factor large prime numbers, modern public key encryption is effectively unbreakable. It's possible that the NSA has that kind of technology, but if they are withholding it they are holding back an incredibly important advancement in both mathematics and humanity. Which is probably the kind of thing they'd do

Just read this, was great http://www.amazon.com/The-Code-Book-Break-Crack/dp/0385729138/ref=sr_ 1 _4?ie=UTF8&qid=1378428556&sr=8-4&keywords=the+code+book

That's all well an good, if the implementation is perfect and the system doing the crypto is otherwise secure... which it almost never is.

If "any code can be broken," then the the government wouldn't spend so much time trying to legally force you to incriminate yourself by making you hand over your passwords and encryption keys. They would simply decrypt your files without even bothering to contact you.

1. Working behind the scenes to keep the public encryption standards just weak enough that they can break them if they want to.2. Building back-doors into a lot of popular software.3. Working on things like keyloggers and other ways to pull the data off targeted devices without having to break the encryption.4. Working tirelessly on new decryption algorithms, and specialized supercomputers to run them effectively.

Yes and even with all that, it gives them your CC number.

Were there people stupid enough to think that SSL HTTPS was a secure standard? Despite the numerous times it's been shown to be either completely broken, or partially broken? Or the fact that you can simply MitM the server? SSL was designed to be secure against casual snooping, it was never designed to be secure for more than a few hours in any case.

There is an old thought process about encryption. It goes roughly like this... How valuable is the material? How time sensitive is it? Now pick an algorithm that exceeds both those values.

Because the bottom line has always been that nearly any encryption can be broken, you just need it to hold long enough to get past the useful time frame of the information. It's long been thought that SSL was good enough for it's use because criminal elements don't have the computer power required to crack it quickly (or at all), but that is utter fantasy land bullshiat. Distributed systems like botnets can crack through SSL like a hot knife through butter, and SETI and other similar programs proved that ages ago.

This isn't theoretical, this is shiat I've dealt with in the real world. There is commercially available software that will break SSL by brute-force if you have a large enough botnet/system/MPP, and there are commercially available software for all of that too.And that's the stuff the "hackers" have. Imagine what the government agencies that have been at this for 60 years, and a couple trillion dollars, AND "national security" have going for them.

Current internet communications aren't secure, they never were, but for some reason a lot of people seem to think they are now, and that's just plain wrong.

I guess it is time for Congress to deliver on what must have been a promise by the agencies of another grant of immunity from lawsuits in favor of the companies that cooperated, to the extent they are not covered by the original one. And it may also have to immunize individual agents who acted for the government when the individual's employer was not cooperating, if there were any such cases, because the employer would have a claim against the employee.

Over in the TSA thread 4ts came out with some derp about how the US government is going to try to incentive people to adopt a government verified online identity, that would confer some benefit in return for which the user waives any right not to be tracked, the way many do in employment agreements. I suspect they see a future in which the norm would be for people to authenticate for all communications, all platforms.

4tehsnowflakes:I guess it is time for Congress to deliver on what must have been a promise by the agencies of another grant of immunity from lawsuits in favor of the companies that cooperated, to the extent they are not covered by the original one. And it may also have to immunize individual agents who acted for the government when the individual's employer was not cooperating, if there were any such cases, because the employer would have a claim against the employee.

Over in the TSA thread 4ts came out with some derp about how the US government is going to try to incentive people to adopt a government verified online identity, that would confer some benefit in return for which the user waives any right not to be tracked, the way many do in employment agreements. I suspect they see a future in which the norm would be for people to authenticate for all communications, all platforms.

It's cute that you're assuming that this is what subby is thinking. Of course it's a /computer/ reading your farking mail (and your phone, and your skype, and your usenet, and your irc, and your gopher, and your sftp, and anything else that goes down the fiber) and cataloging it and filed away to be used against you in the future, should you become a threat to the powers that be. So they can go back 20 years to find stuff to use against you.

GyrfalconBut my question is WHY would the NSA be reading my communications, encrypted or in the clear?Do they have time to detail someone to comb through my Facebook posts to my friends about our views on someone's difficulties with her boyfriend? Or another one's cat's antics?

Ever searched for an ex or someone else you know/knew on Google or Facebook out of curiosity?You used the tools that were available for you.The NSA is made up of (hundred?)thousands of people and contractors who drink beer, fart and scratch their privates in about the same proportion as the rest of the population.Given how Snowden could dump tons of data and go to Russia and publish stuff in the newspapers before anyone noticed, they don't seem to be all that worried about internal monitoring. So some of those thousands of people very likely decide to use the tools available to them.I remember a couple of threads on Fark about police officers abusing their access to data to stalk women; I don't see why NSA employees would be any different.

Or to reference your comment about your local cheeto-stained sysadmin:I would be surprised if there aren't quite a few cheeto-stained sysadmins or sexually-frustrated math nerds in NSA basements across the country.

We never dealt with domestic. With us, it was always war. We won the war. Now we're fighting the peace. It's a lot more volatile. Now we've got ten million crackpots out there with sniper scopes, sarin gas and C-4. Ten-year-olds go on the Net, downloading encryption we can barely break, not to mention instructions on how to make a low-yield nuclear device. Privacy's been dead for years because we can't risk it. The only privacy that's left is the inside of your head. Maybe that's enough. You think we're the enemy of democracy, you and I?

If "any code can be broken," then the the government wouldn't spend so much time trying to legally force you to incriminate yourself by making you hand over your passwords and encryption keys. They would simply decrypt your files without even bothering to contact you.

Sure they would. It's a win-win for them. If you cooperate, they weren't evil people who spied on you - you gave them the key. If you don't cooperate, they have one more reason to throw you in prison.

TheOnion:Until someone figures out how to quickly factor large prime numbers, modern public key encryption is effectively unbreakable. It's possible that the NSA has that kind of technology, but if they are withholding it they are holding back an incredibly important advancement in both mathematics and humanity. Which is probably the kind of thing they'd do

Just read this, was great http://www.amazon.com/The-Code-Book-Break-Crack/dp/0385729138/ref=sr_ 1 _4?ie=UTF8&qid=1378428556&sr=8-4&keywords=the+code+book

Yeah, if I release it to the public I get a Nobel and some cash along with hate from everyone who depends on that for their security. If I license it to the NSA I can live a life of ease cause they'll write me a check for a million a month just to keep it quiet. Seems like a no brainer unless you're a real attention whore.

bubo_sibiricus:Your Average Witty Fark User: NO ONE IS READING YOUR FARKING EMAIL

It's cute that you're assuming that this is what subby is thinking. Of course it's a /computer/ reading your farking mail (and your phone, and your skype, and your usenet, and your irc, and your gopher, and your sftp, and anything else that goes down the fiber) and cataloging it and filed away to be used against you in the future, should you become a threat to the powers that be. So they can go back 20 years to find stuff to use against you.

That's why this is being done.

That right there. If you ever become worthy of destroying, they can easily do that.

It doesn't matter what rights you believe you have. If you are unable to verify and assert them, they might as well not exist at all. This is why secrecy is so important to these organizations. You can not find redress against an invasion of your rights that you don't know exists. They exaggerated and contorted the meaning of the law until it was suitable to what was convenient for them and then used effectiveness as an excuse to not tell us, thus preventing us from seeing the obvious misrepresentation they were executing and correcting it.

Evil High Priest:bubo_sibiricus: Your Average Witty Fark User: NO ONE IS READING YOUR FARKING EMAIL

It's cute that you're assuming that this is what subby is thinking. Of course it's a /computer/ reading your farking mail (and your phone, and your skype, and your usenet, and your irc, and your gopher, and your sftp, and anything else that goes down the fiber) and cataloging it and filed away to be used against you in the future, should you become a threat to the powers that be. So they can go back 20 years to find stuff to use against you.

That's why this is being done.

That right there. If you ever become worthy of destroying, they can easily do that.

The Voice of Doom:GyrfalconBut my question is WHY would the NSA be reading my communications, encrypted or in the clear?Do they have time to detail someone to comb through my Facebook posts to my friends about our views on someone's difficulties with her boyfriend? Or another one's cat's antics?

Ever searched for an ex or someone else you know/knew on Google or Facebook out of curiosity?You used the tools that were available for you.The NSA is made up of (hundred?)thousands of people and contractors who drink beer, fart and scratch their privates in about the same proportion as the rest of the population.Given how Snowden could dump tons of data and go to Russia and publish stuff in the newspapers before anyone noticed, they don't seem to be all that worried about internal monitoring. So some of those thousands of people very likely decide to use the tools available to them.I remember a couple of threads on Fark about police officers abusing their access to data to stalk women; I don't see why NSA employees would be any different.

Or to reference your comment about your local cheeto-stained sysadmin:I would be surprised if there aren't quite a few cheeto-stained sysadmins or sexually-frustrated math nerds in NSA basements across the country.

Which goes back to "WHY"?

Yeah, I could find just about anyone, right now, with the tools available to me. I don't need to worry about breaking their encryption. Hell, I've done it. If someone wants to stalk me--or IS stalking me--or wants to stalk someone else--they don't need to be in the NSA to do it; they can use the tools available. It's why my street address is not on my driver's license or my billing statements and why I don't post "I'm at Joe's having lunch!" updates all over Facebook like so many of my friends.

So with all that, the real question is "WHY would the NSA (or any government agency) be looking at your communications UNLESS you are already on their radar?" This idea that they "might" be storing stuff up "in case" they might want to frame you or prosecute you at some future date because of something you could do in the future or if the government were to become more evil or totalitarian overlooks the fact that a) if you do something in the future that puts you on their scopes, they'll have plenty of material to bust you on and won't NEED your dallyings in the past, and b) if the government is that evil in the future, again, they won't need to have actual stuff to bust you on, they'll just invent whatever they don't have.

Either a government is bound by rules of law or they aren't--and in either case, they won't be relying on stored data that is years or decades old to put someone in prison. They'll either have legitimate new data or they'll just create illegitimate new data. And insofar as weird stalkers or criminals--again, they don't need encrypted data when people so obligingly put that info out on Facebook and Twitter for all to see.

dittybopper:1. Working behind the scenes to keep the public encryption standards just weak enough that they can break them if they want to.2. Building back-doors into a lot of popular software.3. Working on things like keyloggers and other ways to pull the data off targeted devices without having to break the encryption.4. Working tirelessly on new decryption algorithms, and specialized supercomputers to run them effectively.

I'm okay with #3 and #4; that's in line with their mandate. It's #1 and #2 where I draw the line. NSA's other mandate used to be to secure the communications of US persons, both meat-based and corporate. It took NSA 10-15 years to get over the stigma of the rumors that they farked with the S-boxes to put a back door in DES, before the community finally realized they'd been trying, as hard and as quietly as they could, to help.

Today I learned that the tinfoil hats of the 80s weren't wrong, they were just a few decades ahead of their time. How well can any business trust the AES-NI instruction set in that spiffy CPU of theirs?

I have no skeletons in my closet. None. No amount of peeking into my Facebook or Gmail account is going to yield blackmail-able information about me, because nothing of the kind exists. I am an honest-to-God upstanding citizen. I don't drink and drive. I've never been arrested. I've never attended a protest. I don't have any porn of any type on my computer. I've never cheated on anyone. I vote in every election. And so on and so forth...

What bothers me is that the NSA (or whoever) may need a scapegoat for something down the road, and I might just be too convenient for that purpose, in which case they would have to LIE and invent "evidence" in order to make such an accusation stick, which may include information that they claim they got through NSA surveillance (but wouldn't be able to disclose exactly how, since that information needs to be kept confidential for national security purposes). In which case it doesn't matter what my "rights" are; I will have no protections whatsoever.

/Keep your plaintext and keys off of electronic devices.//Pencil and paper FTW.

But the duplication and distribution are the big weaknesses. Great for single important messages, labourous for day to day chatter.

True, but think about it: How many of your communications are actually inane and/or unimportant?

It's a large fraction, I'll bet.

Duplication of the keys themselves isn't a problem. You make the duplicate when you make the original, either using carbon paper, which is getting harder to find and must be destroyed afterwards, or two-part carbonless forms.

When you type the pads on your manual typewriter*, you are making the original, and a copy for your correspondent.

Distribution isn't as big a problem as people make it out to be. You can transfer a whole lot of pads all at once in a physical transfer. If you can't afford to be seen together, do a dead drop. Or you could just mail them in tamper-evident packaging. It doesn't have to be tamper*PROOF*, you just have to be able to detect that it's been opened. Foil and superglue, combined with tell-tales, make an excellent and cheap way to do that.

*The big vulnerability is electronic devices. Never use them to generate pads.

It's been a long time since I read "The Code Book" and someone correct me if I'm wrong, but can't you crack SSL by factoring two large prime integers that were multiplied together? I remember reading about the "assumption" that there wasn't a good way to do it, so they assumed the transmission was secure. That was 10 years ago. I imagine they have a good way of doing it now.

Gyrfalcon:IF I was doing anything wrong or illegal, guess what. None of it would be via computer anyway, and very likely not even by phone. It would be so far off the grid that the NSA wouldn't even know where to look for it--like the Unabomber did.

AverageAmericanGuy:Your Average Witty Fark User: AverageAmericanGuy: Your Average Witty Fark User: I think it's cute how subtard thinks there is someone sitting at a workstation, reading their email.

No I don't. I think subtard is farking stupid, like most of America.

NO ONE IS READING YOUR FARKING EMAIL

/gfy

No, but a computer program is and is flagging some for further scrutiny.

Kind of like how the East German Stasi would open letters passing through the mail to flag people for reeducation.

Your Average Witty American isn't having ANY of their correspondence "flagged for further scrutiny".

Everyone is up in arms over NOTHING. Wah. Cry me a river.

Well, the content would have to be interesting to be flagged, so I can see where you're coming from.

That's exactly my point. If you're emailing grandma to thank her for that swell sweater she got you for your birthday, no one is going to read it. If you're setting up a tryst with your 19 year old college cheerleader girlfriend behind you're wife's back, no one is going to read it. If you're texting your buddy "hey bro u me n a 6pack 4 NFL 2nite?" no one is going to read it. You have to really go out of your way to be a slimy sack of homeland security threatening shiat to get your email or text messages read. I highly, HIGHLY doubt any of us is sending emails/texts that would get flagged for further review. It's common sense for most people. Other people like to get worked up over nothing.

Your Average Witty Fark User:AverageAmericanGuy: Your Average Witty Fark User: AverageAmericanGuy: Your Average Witty Fark User: I think it's cute how subtard thinks there is someone sitting at a workstation, reading their email.

No I don't. I think subtard is farking stupid, like most of America.

NO ONE IS READING YOUR FARKING EMAIL

/gfy

No, but a computer program is and is flagging some for further scrutiny.

Kind of like how the East German Stasi would open letters passing through the mail to flag people for reeducation.

Your Average Witty American isn't having ANY of their correspondence "flagged for further scrutiny".

Everyone is up in arms over NOTHING. Wah. Cry me a river.

Well, the content would have to be interesting to be flagged, so I can see where you're coming from.

That's exactly my point. If you're emailing grandma to thank her for that swell sweater she got you for your birthday, no one is going to read it. If you're setting up a tryst with your 19 year old college cheerleader girlfriend behind you're wife's back, no one is going to read it. If you're texting your buddy "hey bro u me n a 6pack 4 NFL 2nite?" no one is going to read it. You have to really go out of your way to be a slimy sack of homeland security threatening shiat to get your email or text messages read. I highly, HIGHLY doubt any of us is sending emails/texts that would get flagged for further review. It's common sense for most people. Other people like to get worked up over nothing.

Well, then there's nothing to worry about, is there. I don't have any bombs in my luggage either. I don't even both with the TSA lock anymore, if the government wants to search my stuff, it must be for a good reason. Who am I to feel uncomfortable that my privacy is gone?